Global Protect Pre-Logon followed by SAML SSO

NamalW
L1 Bithead

Global Protect Pre-Logon followed by SAML SSO

Hi Guys,

I have implemented GlobalProtect with pre-logon (device certificate) followed by user logon using SAML (Azure AD as the SAML IdP).

When the GlobalProtect client initiates the user authentication, the Windows security pop-up below appears asking to confirm the certificate.

[screenshot: NamalW_0-1599546178555.png]

After confirming the certificate it connects fine, but every time the user reboots the same pop-up box comes up. If I replace the SAML auth with LDAP auth, I don't get any pop-ups for the certificate and everything works fine.

I have a client certificate profile (internal Root and Intermediate CA) attached to the client profile in each scenario (LDAP auth vs SAML).

Also note that pre-logon works fine in each scenario, and before login to the machine I can see GlobalProtect shows connected.

Has anyone come across this or a similar issue?

OwenFuller
L4 Transporter

I'm not sure if this applies in your case, but I saw something similar when a user had two client certificates which matched the certificate profile. We solved it by deleting one of the unneeded certificates.

MP18
Cyber Elite

@NamalW

I have seen this same behaviour in our setup.

We also have GP pre-logon with a machine cert and then SAML Azure authentication.

That cert pop-up message is for the certificate used to sign SAML messages to the IdP, which we select in the Authentication profile.

Regards

MP
NamalW
L1 Bithead

@MP18 Is there any workaround to fix it? This is not convenient for users.

MP18
Cyber Elite

@NamalW

Do you have more than one cert issued by your Intermediate CA?

Either way, you need to have the SSL/TLS profile cert trusted by either your internal PKI or an external certificate authority.

It needs the same CA cert signed by the above one, which your PC also trusts.

Regards

MP
rajjair
L1 Bithead

To stop the client certificate pop-up you need to make sure the VPN URL is either in your Local intranet zone or in your Trusted sites, with the IE option "Don't prompt for client certificate selection when no certificates or only one certificate exists" set to Enable.

For Chrome and Edge, the policy is AutoSelectCertificateForUrls.

Microsoft Edge Browser Policy Documentation | Microsoft Docs

Chrome Enterprise Policy List & Management | Documentation (google.com)
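An added example (not from this thread or from Palo Alto Networks) of pushing the AutoSelectCertificateForUrls policy mentioned above for both Edge and Chrome via the registry, so the embedded browser selects the client certificate silently instead of prompting. It assumes the GlobalProtect agent's embedded browser honours these policies, and the portal URL and issuing CA name are placeholders to replace with your own; the filter restricts auto-selection to certificates from that issuer, so a second, unrelated client certificate does not match.

```powershell
# Added example: configure AutoSelectCertificateForUrls for Edge and Chrome.
# Run as an administrator (writes under HKLM\SOFTWARE\Policies).
# Placeholders (assumptions, replace with your own values):
#   $PortalUrl - the GlobalProtect portal/gateway URL the SAML logon is started against
#   $IssuerCN  - the CN of the internal intermediate CA that issued the client certificate
$PortalUrl = 'https://vpn.example.com'
$IssuerCN  = 'Example Issuing CA 01'

# The policy value is a JSON object: a URL pattern plus a certificate filter.
# Restricting on ISSUER.CN keeps the policy from auto-selecting an unrelated cert.
$policyValue = [ordered]@{
    pattern = $PortalUrl
    filter  = [ordered]@{ ISSUER = [ordered]@{ CN = $IssuerCN } }
} | ConvertTo-Json -Compress -Depth 4

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls',
    'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # The policy is a list: entries are string values named "1", "2", ...
    $existing = (Get-Item $key).GetValueNames() | Where-Object { $_ -match '^\d+$' }

    # Skip if an identical entry is already present (idempotent re-runs).
    $alreadySet = $existing | Where-Object {
        (Get-ItemPropertyValue -Path $key -Name $_) -eq $policyValue
    }
    if ($alreadySet) { Write-Host "Already configured in $key"; continue }

    # Append after the highest existing index so other entries are preserved.
    $next = if ($existing) { ([int[]]$existing | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $key -Name $next -Value $policyValue -PropertyType String -Force | Out-Null
    Write-Host "Wrote entry $next in $key : $policyValue"
}
```

Verify afterwards in edge://policy or chrome://policy that the entry is listed without errors; a malformed JSON value is silently ignored and the prompt will keep appearing.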

MP18
Cyber Elite

@NamalW

Also, you can push this registry setting with the GP agent; then the cert pop-up will not occur.

Check this link

Certificate Selection by OID (paloaltonetworks.com)

Regards

MP